merge from HEAD

Author: Richard Jones

CHANGES.txt

@@ -11,6 +11,7 @@ Fixed:
 - 'roundup-server -S' always writes [trackers] section heading (sf bug 1088878)
 - fix port number as int in mysql connection info (sf bug 1082530)
 - fix setup.py to work with <Python2.3 (sf bug 1082801)
+- fix permissions checks in cgi templating (sf bug 1082755)
 
 
 2004-12-08 0.8.0b1

doc/announcement.txt

@@ -9,21 +9,8 @@ together a What's New page:
 
   http://roundup.sourceforge.net/doc-0.8/whatsnew-0.8.html
 
-Some highlights:
-
-* i18n of the user interface (not just web),
-* a re-working of the tracker home configuration to make it much cleaner,
-* many speed optimisations,
-* integration of the python logging module,
-* optional configuration of roundup-server through a configuration file,
-* creation of items check the new Create Permission rather than Edit now,
-* Permissions may be defined on a per-property basis,
-* Permissions may include a fragment of code to run to check,
-* optional HTTP Basic auth built in (Apache not required),
-* optional HTTP charset selection,
-* added mod_python interface,
-* optional instant web registration (rather than email confirmation), and
-* 30 or so other little feature additions... 
+This is a bugfix release, fixing:
+
 
 If you're upgrading from an older version of Roundup you *must* follow
 the "Software Upgrade" guidelines given in the maintenance documentation.

roundup/cgi/templating.py

@@ -645,8 +645,12 @@ def classhelp(self, properties=None, label=''"(list)", width='500',
 
     def submit(self, label=''"Submit New Entry"):
         ''' Generate a submit button (and action hidden element)
+
+        Generate nothing if we're not editable.
         '''
-        self.edit_check()
+        if not self.is_edit_ok():
+            return ''
+
         return self.input(type="hidden", name="@action", value="new") + \
             '\n' + \
             self.input(type="submit", name="submit", value=self._(label))
@@ -1171,37 +1175,33 @@ def field(self, size = 30):
 
             If not editable, just display the value via plain().
         '''
-        self.edit_check()
+        if not self.is_edit_ok():
+            return self.plain()
 
         if self._value is None:
             value = ''
         else:
             value = cgi.escape(str(self._value))
 
-        if self.is_edit_ok():
-            value = '"'.join(value.split('"'))
-            return self.input(name=self._formname,value=value,size=size)
-
-        return self.plain()
+        value = '"'.join(value.split('"'))
+        return self.input(name=self._formname,value=value,size=size)
 
     def multiline(self, escape=0, rows=5, cols=40):
         ''' Render a multiline form edit field for the property.
 
             If not editable, just display the plain() value in a <pre> tag.
         '''
-        self.edit_check()
+        if not self.is_edit_ok():
+            return '<pre>%s</pre>'%self.plain()
 
         if self._value is None:
             value = ''
         else:
             value = cgi.escape(str(self._value))
 
-        if self.is_edit_ok():
-            value = '&quot;'.join(value.split('"'))
-            return '<textarea name="%s" rows="%s" cols="%s">%s</textarea>'%(
-                self._formname, rows, cols, value)
-
-        return '<pre>%s</pre>'%self.plain()
+        value = '&quot;'.join(value.split('"'))
+        return '<textarea name="%s" rows="%s" cols="%s">%s</textarea>'%(
+            self._formname, rows, cols, value)
 
     def email(self, escape=1):
         ''' Render the value of the property as an obscured email address
@@ -1238,12 +1238,10 @@ def field(self, size = 30):
 
             If not editable, just display the value via plain().
         '''
-        self.edit_check()
-
-        if self.is_edit_ok():
-            return self.input(type="password", name=self._formname, size=size)
+        if not self.is_edit_ok():
+            return self.plain()
 
-        return self.plain()
+        return self.input(type="password", name=self._formname, size=size)
 
     def confirm(self, size = 30):
         ''' Render a second form edit field for the property, used for
@@ -1252,13 +1250,11 @@ def confirm(self, size = 30):
 
             If not editable, display nothing.
         '''
-        self.edit_check()
-
-        if self.is_edit_ok():
-            return self.input(type="password",
-                name="@confirm@%s"%self._formname, size=size)
+        if not self.is_edit_ok():
+            return ''
 
-        return ''
+        return self.input(type="password",
+            name="@confirm@%s"%self._formname, size=size)
 
 class NumberHTMLProperty(HTMLProperty):
     def plain(self):
@@ -1276,18 +1272,16 @@ def field(self, size = 30):
 
             If not editable, just display the value via plain().
         '''
-        self.edit_check()
+        if not self.is_edit_ok():
+            return self.plain()
 
         if self._value is None:
             value = ''
         else:
             value = cgi.escape(str(self._value))
 
-        if self.is_edit_ok():
-            value = '&quot;'.join(value.split('"'))
-            return self.input(name=self._formname,value=value,size=size)
-
-        return self.plain()
+        value = '&quot;'.join(value.split('"'))
+        return self.input(name=self._formname,value=value,size=size)
 
     def __int__(self):
         ''' Return an int of me
@@ -1315,8 +1309,6 @@ def field(self):
 
             If not editable, just display the value via plain().
         '''
-        self.edit_check()
-
         if not self.is_edit_ok():
             return self.plain()
 
@@ -1368,18 +1360,18 @@ def now(self, str_interval=None):
         '''
         self.view_check()
 
-	ret = date.Date('.', translator=self._client)
+        ret = date.Date('.', translator=self._client)
 
-	if isinstance(str_interval, basestring):
-		sign = 1
-		if str_interval[0] == '-':
-			sign = -1
-			str_interval = str_interval[1:]
-		interval = date.Interval(str_interval, translator=self._client)
-		if sign > 0:
-			ret = ret + interval
-		else:
-			ret = ret - interval
+        if isinstance(str_interval, basestring):
+            sign = 1
+            if str_interval[0] == '-':
+                sign = -1
+                str_interval = str_interval[1:]
+            interval = date.Interval(str_interval, translator=self._client)
+            if sign > 0:
+                ret = ret + interval
+            else:
+                ret = ret - interval
 
         return DateHTMLProperty(self._client, self._classname, self._nodeid,
             self._prop, self._formname, ret)
@@ -1391,7 +1383,6 @@ def field(self, size=30, default=None, format=_marker):
 
         The format string is a standard python strftime format string.
         '''
-        self.edit_check()
         if not self.is_edit_ok():
             if format is self._marker:
                 return self.plain()
@@ -1406,8 +1397,8 @@ def field(self, size=30, default=None, format=_marker):
                     raw_value = Date(default, translator=self._client)
                 elif isinstance(default, date.Date):
                     raw_value = default
-		elif isinstance(default, DateHTMLProperty):
-		    raw_value = default._value
+                elif isinstance(default, DateHTMLProperty):
+                    raw_value = default._value
                 else:
                     raise ValueError, _('default value for '
                         'DateHTMLProperty must be either DateHTMLProperty '
@@ -1501,18 +1492,16 @@ def field(self, size = 30):
 
             If not editable, just display the value via plain().
         '''
-        self.edit_check()
+        if not self.is_edit_ok():
+            return self.plain()
 
         if self._value is None:
             value = ''
         else:
             value = cgi.escape(str(self._value))
 
-        if self.is_edit_ok():
-            value = '&quot;'.join(value.split('"'))
-            return self.input(name=self._formname,value=value,size=size)
-
-        return self.plain()
+        value = '&quot;'.join(value.split('"'))
+        return self.input(name=self._formname,value=value,size=size)
 
 class LinkHTMLProperty(HTMLProperty):
     ''' Link HTMLProperty
@@ -1558,8 +1547,6 @@ def field(self, showid=0, size=None):
 
             If not editable, just display the value via plain().
         '''
-        self.edit_check()
-
         if not self.is_edit_ok():
             return self.plain()
 
@@ -1584,8 +1571,6 @@ def menu(self, size=None, height=None, showid=0, additional=[],
 
             If not editable, just display the value via plain().
         '''
-        self.edit_check()
-
         if not self.is_edit_ok():
             return self.plain()
 
@@ -1715,8 +1700,6 @@ def field(self, size=30, showid=0):
 
             If not editable, just display the value via plain().
         '''
-        self.edit_check()
-
         if not self.is_edit_ok():
             return self.plain()
 
@@ -1737,8 +1720,6 @@ def menu(self, size=None, height=None, showid=0, additional=[],
 
             If not editable, just display the value via plain().
         '''
-        self.edit_check()
-
         if not self.is_edit_ok():
             return self.plain()
 

templates/classic/schema.py

@@ -106,10 +106,10 @@
 def own_record(db, userid, itemid):
     '''Determine whether the userid matches the item being accessed.'''
     return userid == itemid
-p = db.security.addPermission(name='View Self', klass='user', check=own_record,
+p = db.security.addPermission(name='View', klass='user', check=own_record,
     description="User is allowed to view their own user details")
 db.security.addPermissionToRole('User', p)
-p = db.security.addPermission(name='Edit Self', klass='user', check=own_record,
+p = db.security.addPermission(name='Edit', klass='user', check=own_record,
     description="User is allowed to edit their own user details")
 db.security.addPermissionToRole('User', p)
 

templates/minimal/schema.py

@@ -37,10 +37,10 @@
 def own_record(db, userid, itemid):
     '''Determine whether the userid matches the item being accessed.'''
     return userid == itemid
-p = db.security.addPermission(name='View Self', klass='user', check=own_record,
+p = db.security.addPermission(name='View', klass='user', check=own_record,
     description="User is allowed to view their own user details")
 db.security.addPermissionToRole('User', p)
-p = db.security.addPermission(name='Edit Self', klass='user', check=own_record,
+p = db.security.addPermission(name='Edit', klass='user', check=own_record,
     description="User is allowed to edit their own user details")
 db.security.addPermissionToRole('User', p)